Review of Information Security at the Railroad Retirement Board
Report No. 02-04, February 5, 2002

EXECUTIVE SUMMARY

This report presents the detailed results of the Office of Inspector General’s (OIG) review of information security at the Railroad Retirement Board (RRB), which was performed pursuant to the requirements of the Government Information Security Reform Act. The OIG’s summary findings were submitted, in the prescribed format, to the Chair of the Railroad Retirement Board for transmittal to the Office of Management and Budget. The full text of that document is presented in Appendix I to this report.

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act and the Railroad Unemployment Insurance Act. The RRB paid out over $8 billion in benefits during fiscal year 2001.

Our review disclosed weaknesses in most areas of the RRB’s information security program. Significant deficiencies in program management and access controls make the agency’s information security program a source of material weakness in internal control over financial reporting.

Access controls cannot be considered fully effective due primarily to inadequacies in password management. Our review identified numerous password management weaknesses in the mainframe, local area and wide area computing environments. The RRB’s most notable problem is the agency’s inability to police and enforce its recently adopted policy requiring the use of more complex password configurations. Other weaknesses observed during this review included: passwords that never expire; inactive, duplicate accounts; and separated employees and former contractors whose information system privileges had not been revoked.

The overall effectiveness of the RRB’s information security program has been undermined by a lack of training among key personnel. Employees with decision-making responsibility for information security have not had adequate formal training in its theory, principles and practice. In addition, the information security program lacks a strong security framework with a central management focal point. These two deficiencies are the underlying cause of many other control problems identified during the audit.

Our report also cites the agency for:

   • weaknesses in the security planning and evaluation process;
   • inadequacies in the design of controls intended to restrict individual privileges to the minimum required by their employment; and
   • a lack of documentation for some security-related activities.

We have made specific recommendations for corrective action to strengthen controls in the areas of weakness identified by the audit. In their response to the draft audit report, the Bureau of Information Services concurred with most of the OIG’s recommendations and stated that many had already been implemented. The full text of management’s response is presented in Appendix III to this report.

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) review of information security at the Railroad Retirement Board (RRB).

BACKGROUND

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out in excess of $8 billion in benefits during fiscal year (FY) 2001.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local (LAN) and wide (WAN) area networks.

The major application systems correspond to the RRB’s critical operational activities: payment of benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration. Each application system consists of one or more programs.

The Office of Management and Budget (OMB) has published guidance to assist Federal managers in meeting the management control and computer security requirements of the Computer Security Act of 1987, Chief Financial Officers Act of 1990, and the Clinger-Cohen Act of 1996. OMB Circular A-123, “Management Accountability and Control,” dated June 21, 1995, provides guidance on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. OMB Circular A-130, “Management of Federal Information Resources,” Appendix III dated November 30, 2000, establishes policy for the management of Federal information resources. OMB Circular A-130, Appendix III establishes a minimum set of controls to be included in Federal Automated Information Security Programs, assigns Federal agency responsibilities for the security of automated information, and links agency automated information security programs with agency management control systems established in accordance with OMB Circular A-123.

The RRB has set forth agency-specific information security requirements in its administrative circulars: Circular IRM-7, “Security Plans for Information Technology Systems,” dated May 22, 2000; IRM-8, “The Information Security Program of the Railroad Retirement Board,” dated July 18, 2001; and IRM-11, “Security for Automated Systems,” dated June 17, 1994.

IRM-8 delegates authority to administer the agency’s information security program to the Chief Information Officer. The Chief Information Officer is also the director of the RRB’s Bureau of Information Services and is responsible for administration of both data processing and end-user computing as well as in-house systems development. In August 2001, the RRB appointed a new Chief Information Officer, filling a position that had been vacated the previous April.

On October 30, 2000, the President signed into law the FY 2001 Defense Authorization Act (P.L. 106-398) including Title X, subtitle G, “Government Information Security Reform (The Security Act).”[1] The Security Act requires annual agency program reviews, annual Inspector General security evaluations, an annual agency report to the Office of Management and Budget (OMB), and an annual OMB report to Congress.

The full text of the OIG’s report to OMB is included as Appendix I to this report.

[1] This legislation is also referred to by the acronym “GISRA.”

OBJECTIVES, SCOPE AND METHODOLOGY

The scope of this review was information system security at the RRB during May through September 2001.

The objective of this review was to fulfill the requirements of the Security Act by performing an evaluation of the RRB’s information system security program and practices, including tests of the effectiveness of security controls in an appropriate subset of agency systems.

In order to accomplish our objectives, we:

   • reviewed laws, regulations, management control reports, policies, procedures and security planning documents;
   • reviewed security incident reports, problem logs, and prior audits;
   • interviewed staff and management with significant security responsibilities, such as system administrators;
   • assessed agency compliance with OMB requirements for security, disaster recovery and contingency planning;
   • reviewed mainframe global security settings and software rules controlled by Computer Associates’ Access Control Facility (ACF2), a commercial data security product;
   • obtained and reviewed a listing of inactive mainframe user accounts;
   • tested a random sample of 120 agency employees to determine whether existing controls had been effective in ensuring that all mainframe accesses had been authorized, all authorizations had been documented and access rights had been restricted to the requirements of each user’s job;[2]
   • reviewed the security settings within the Federal Financial System (FFS) to assess the effectiveness of change-logging as implemented for that application;
   • tested a non-random sample of 89 users of the PAR system to determine whether their application-level privileges had been restricted to the requirements of their employment;[3]
   • reviewed the data center access privileges of individuals to determine whether their key cards appropriately restricted access to the minimum required by the cardholder’s employment;
   • tested a non-random sample of 9 systems development projects for compliance with applicable policy and procedure;
   • tested a non-random sample of data tapes stored off-site for timely return;
   • obtained and analyzed a listing of LAN/WAN accounts; and
   • reviewed the network account identifiers and status for a non-random sample of 42 LAN/WAN users.

[2] The sample of 120 employees was drawn from the population of agency employees who were authorized users of the mainframe general support system or had been assigned an electronic mail address on the LAN/WAN general support system.

[3] The sample of 89 users of the PAR system was drawn from the population of individuals who had access privileges other than “Read Only.”

We limited our evaluation of security for the end-user computing general support system to inquiries of LAN/WAN management, analysis of the user account population and detailed tests of selected user accounts. Our initial interviews with management identified weaknesses in the security provisions for the LAN/WAN system. These findings, discussed in detail beginning on page 14 of this report, indicated that additional detailed testing would not have furthered the objectives of this review.

In performing this review, we considered prior OIG audit findings and recommendations as well as third-party evaluations of information security at the RRB conducted at the request of the OIG:

   • “Information Systems Security Assessment Report,” Defensive Information Operations Group, National Security Agency, June 2000;
   • “Site Security Assessment,” Blackbird Technologies, Inc., July 20, 2001; and
   • “Security Controls Analysis,” Blackbird Technologies, Inc., August 17, 2001.

A summary of the findings of Blackbird Technologies, Inc. is presented in Appendix II to this report.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the audit objectives. Fieldwork was conducted at RRB headquarters during May through October 2001.

RESULTS OF REVIEW

Information security is an area of material weakness in internal control over financial reporting.

The present information systems security program does not reduce to a relatively low level the risk that misstatements, in amounts material in relation to the financial statements, could occur but not be detected within a timely period by employees in the normal course of performing their assigned functions.

Our review disclosed weaknesses throughout the RRB’s information system security program. The most significant weaknesses relate to program management and access controls. Program management has been significantly undermined by a lack of training among key personnel. Access controls cannot be considered fully effective because of the numerous weaknesses in password management in both the mainframe and LAN/WAN computing environments.

The inadequacies in password management and training identified during our review place the RRB’s financial information at risk of unauthorized modification or destruction, sensitive personal information at risk of inappropriate disclosure, and critical operations at risk of disruption. As a result, information system security is an area of material weakness in internal control over financial reporting.

In addition, security responsibilities are fragmented throughout the agency. The lack of a strong framework with a central management focal point is the underlying cause of many situations in which the controls that have been designed and put into operation are less than fully effective.

The Bureau of Information Services has taken, or is planning to take, corrective action in response to most of the recommendations presented in this report. However, bureau management has noted that limited resources and other security priorities will make it difficult to establish target dates for the implementation of recommendations that are the responsibility of the newly created Risk Management Group.

Detailed findings along with recommendations for corrective action are presented in the following sections of this report. The full text of management’s response is presented in Appendix III to this report.

ACCESS CONTROLS ARE INADEQUATE

Weaknesses in the RRB’s system of password management undermine the effectiveness of access controls.

OMB Circular A-130 requires Federal agencies to implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored or disseminated in general support systems and major applications. The circular further provides that agencies ensure that each system appropriately uses effective security products and techniques, such as password protection.

The RRB has not implemented an enforceable, effective password management program for its LAN/WAN and mainframe systems. As a result, RRB information systems are vulnerable to unauthorized access, and the confidentiality and integrity of sensitive personal information maintained in those systems may be compromised.

The present system of password management is inadequate because the agency is unable to police and enforce its recently adopted policy requiring the use of more complex password configurations. We also noted other password-related control weaknesses in both the LAN/WAN and mainframe computing environments, including:

   • passwords that never expire;
   • inactive, duplicate system accesses;
   • current employees with duplicate system accounts;
   • separated employees whose system privileges had not been revoked; and
   • accounts for which an employee-user could not be readily identified.

In addition, we identified the logon name and unencrypted password belonging to the system administrator of a major mainframe application by viewing a table in that application.

The agency’s vulnerability to unauthorized access was confirmed by Blackbird Technologies, Inc., technical specialists under contract to the OIG. Using commercially available software, the contractor was able to break nearly one-third of LAN/WAN user passwords within six minutes.

The RRB is in the process of implementing prior recommendations for improved password management. The OIG will continue to monitor the implementation status of prior recommendations as part of the on-going audit follow-up process. We will assess the effectiveness of the agency’s completed corrective actions during future reviews and make further recommendations as necessary.

LACK OF TRAINING UNDERMINES SECURITY PROGRAM MANAGEMENT

Employees with decision-making responsibility for information system security have not had adequate formal training in its theory, principles and practice. As a result, some employees do not have an adequate knowledge base to support the security-related decisions required by their positions.

Effective management of an organization’s workforce includes training. Management should ensure that skills are continually assessed and that training is aimed at developing skill levels to meet changing organizational needs. OMB Circular A-130 provides that responsibility for ensuring adequate system security should be assigned to an individual trained in the technology used in the system and in providing security for such technology, including the management of security controls.

During our review of information system security at the RRB, employees with key responsibilities for both the general support systems and the major applications advised us that they had not had training in the theory and practice of system security. Many employees with whom we spoke had input or decision-making responsibility for the design and implementation of security procedures and/or security-related software features.

The deficiency in security-specific training exists because, although the RRB provides training in software and hardware to employees with technical responsibilities, course selection is typically based on employee requests and tends to be software-specific. It appears that neither the operating staff nor higher levels of agency management recognized the potential long-term adverse impact that a lack of security-specific training could have on the security program as a whole.

Many conditions cited for correction in this report were caused by a lack of adequate training. Management and staff cannot make good decisions without adequate knowledge and skills. The lack of training among key personnel has a wide-ranging impact on planning and execution of information security for both the general support systems and major applications. As a result, this weakness in the RRB’s information system security program poses a significant risk to the confidentiality, integrity, and availability of the agency’s information systems.

Recommendation

1. The Chief Information Officer should develop and implement a plan to provide security-specific training to agency employees who have decision-making responsibilities for information systems. The plan should provide for training in the theory and practice of information systems security as well as training in the implementation of the security features of specific applications.

Management’s Response

Management concurs with the finding and recommendation.

LACK OF A CENTRAL MANAGEMENT FOCAL POINT WEAKENS SECURITY

The RRB does not have a strong, centralized information system security program.

The General Accounting Office (GAO) has stated that a strong framework with a central management focal point and ongoing processes to coordinate efforts to manage information security risks is a key part of an effective computer security program. We believe that the absence of such a framework and focal point at the RRB is the underlying cause for many of the conditions cited later in this report.

In June 2000, the National Security Agency recommended that the RRB establish a formal security program, supported by upper management, with a full-time security officer to serve as the focal point. They further recommended that the security office be staffed with full-time, technical personnel who not only have the responsibility, but also have the authority to enforce security.

In July 2001, the agency began the process of appointing a full-time security officer. As of December 31, 2001, RRB management was in the process of interviewing potential candidates.

Since the agency is in the process of implementing a prior recommendation in this area, we will make no further recommendations for corrective action at the present time. We will evaluate the effectiveness of changes to the RRB’s management structure in future reviews and make additional recommendations as necessary.

SECURITY PROGRAM DOES NOT FULLY COMPLY WITH OMB REQUIREMENTS

The RRB’s information security program does not fully comply with the requirements established in OMB Circular A-130.

OMB Circular A-130 establishes a minimum set of controls to be included in Federal automated information security programs. The RRB is not in full compliance with the provisions of OMB Circular A-130 because, although the RRB has implemented an information system security program, some required features of the program have not been maintained in the prescribed manner. Our review identified deficiencies in:

   • Security Plans
   • Independent Evaluation
   • Security Awareness Training
   • Incident Reporting
   • Disaster Recovery and Contingency Planning

We believe this condition exists because of the adverse impact that the absence of a central focal point for the agency-wide security program and the lack of security-specific training have had on program management.

As a result, the RRB is not in full compliance with the provisions of OMB Circular A-130. Controls intended to ensure the security of agency information systems may not be fully effective, placing the RRB at increased risk of loss, misuse or unauthorized access.

Security Plans Are Outdated

The RRB has identified two general support systems and seven major application systems for which formal security plans must be prepared pursuant to OMB Circular A-130. That circular requires that security plans be developed and maintained for all Federal computer systems that contain sensitive information.

OMB Circular A-130 requires that security controls be reviewed at least every three years. In addition, the RRB’s Administrative Circular IRM-7 calls for security plans to be updated every two years.

The RRB’s security plans are outdated. The security plan for the general support mainframe system was last updated in 1998. The plans for the general support LAN/WAN networks and major applications were last revised in 1995.

During June 2001, the RRB began the process of reviewing and revising its security plans.

Independent Security Evaluations Are Not Performed

The RRB has not performed periodic, independent evaluations of systems security in accordance with OMB Circular A-130.

OMB Circular A-130 requires that, at least every three years, an independent review or audit of the security controls for each major application should be performed. The circular specifies that the review should be independent of the manager responsible for the application.

Although the RRB performs periodic reviews of system controls in conjunction with preparation of the agency’s security plan and its management control review activity, these reviews are not independent because they are conducted by the owners/users of the systems.

Security Awareness Training Is Not Adequate

OMB Circular A-130 requires Federal agencies to establish a security awareness and training program for both agency and contractor personnel. The circular calls for both initial training and on-going training to ensure that system users understand and abide by applicable rules.

The RRB provides very limited training, typically in the form of a written notice, to first-time system users and does not provide refresher training beyond periodic written reminders. New system users receive an information booklet, “Information Systems Security Awareness Training for the Railroad Retirement Board (G-15).” New users are also expected to sign RRB Form G-15a, “Employee Acknowledgment Statement for the Information Resources Security Program of the Railroad Retirement Board.”

However, we were unable to locate a signed Form G-15a for 93 employees of a sample of 98 agency employees.[4] Based on this result, we must conclude that the RRB cannot demonstrate that it has provided adequate training and notice of possible sanctions for misuse of agency information systems.

[4] The original sample size was 120 randomly selected employees. We suspended testing based on the low identification rate for the first 98 items tested.

The present program is not adequate to support adverse actions against employees who may misuse or compromise agency information systems. The reliance on written notice alone may not support an agency claim that an employee knew his or her rights, responsibilities and potential penalties for misuse.

Incident Reporting Procedures Are Not Sufficient

OMB Circular A-130 calls for Federal agencies to establish an incident response capability to ensure that they can provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities.

The RRB has not established comprehensive procedures for reporting information security incidents. Existing procedures are not sufficiently specific to ensure that all incidents will be documented and shared internally and/or externally as appropriate to the situation.

Disaster Recovery and Contingency Planning Is Incomplete

OMB Circular A-130 requires the RRB to develop, maintain and test disaster recovery and continuity of operations plans for its general support systems and major applications. The objective of these plans is to provide continuity of data processing support if normal operations are interrupted.

During our audit, we observed that the RRB’s disaster recovery plan is outdated and incomplete. The plan has not been updated since September 1999 and does not include recently developed systems in its critical applications report, nor does it provide for the special equipment needs of those systems.

In addition, disaster recovery tests have not consistently included LAN/WAN applications other than establishing connectivity and general administration. The RRB has not verified results for LAN/WAN applications since August 1999.

Recommendations

The Chief Information Officer should:

   2. ensure that the RRB’s security plans are updated in a timely manner and that independent comment and advice is sought as appropriate;
   3. ensure that periodic independent evaluations of system security for major applications are performed;
   4. provide ongoing security awareness training to agency employees and contractors;
   5. establish effective guidelines and procedures for identifying and reporting security incidents;
   6. update the overall disaster recovery plan; and
   7. include LAN/WAN applications in the disaster recovery testing process.

As previously discussed, the RRB is in the process of appointing a full-time security officer. Accordingly, we make no recommendation for organizational change.

Management’s Response

Management concurs with recommendations #3, #4, #5, #6, and #7.

Management neither concurred with nor rejected recommendation #2. They noted that recommendation #2 is similar to recommendations issued in connection with two earlier audits and they plan to request that these two prior recommendations be removed from the OIG’s audit follow-up program based on the “completed GISRA reviews and our commitment to update the plans.”

OIG’s Comments on Management’s Response

The OIG tracks the status of all recommendations with which management has agreed until they have been implemented. Accordingly, recommendation #2 will remain in the OIG’s audit follow-up system until corrective action has been implemented or the recommendation has been formally rejected.

MAINFRAME ADMINISTRATION NEEDS IMPROVEMENT

Security administration of the mainframe general support system is not fully effective and needs improvement.

OMB Circular A-130 requires that Federal agencies implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored or disseminated in general support systems.

As a result of weaknesses in the administration of mainframe security controls, the confidentiality, security and integrity of the data processing system are at risk of unauthorized modification, loss and disclosure. Our review identified weaknesses related to the maintenance of user accounts, the granting of system privileges, and the use of security rules and logs; these weaknesses indicate that existing controls are not fully effective. In addition, we noted that the duties of the ACF2 system administrator, a position critical to mainframe security, have not been formalized.

This condition exists because of the adverse impact that the absence of a central focal point for the agency-wide security program and the lack of security-specific training have had on program management.

Account Maintenance

The Bureau of Information Services could improve routine maintenance to ensure that the privileges of separated employees are terminated promptly, all passwords expire periodically, inactive accounts are removed, and all users can be identified.

During our review of mainframe system security, we identified:

   • 9 user accounts for which the passwords would never expire (8 contractors, 1 RRB employee);
   • 7 employees with inactive, duplicate system accesses;
   • 2 separated employees with active accounts; and
   • 1 individual who could not be readily identified.

Least Privilege

We identified weaknesses in the application of the principle of “least privilege” in the mainframe environment. As a result, individuals have received and retained access to system features that they did not require for the performance of their assigned duties.

   • Our review identified 32 individuals, including one non-employee on temporary detail to the RRB, who had been granted powerful privileges that they may not have required. These individuals were able to create, rename and delete files and data within the Federal Financial System. These are powerful privileges that should be closely restricted.
   • The Bureau of Information Services does not maintain documentation to support the granting of special, high-risk, system privileges within ACF2. In some cases, these privileges may be required for a limited time. However, current procedure does not call for documentation of the reason for granting the privileges or the timeframe during which they should be retained, nor does it provide for monitoring to determine whether the need for these rights continues to exist.
   • The agency does not have an up-to-date listing of current ADVANTIS users and does not evaluate the need for on-going access on a periodic basis. The ADVANTIS system is a communications link that provides RRB employees with access to external data systems.

Security Logs

The ACF2 administrator does not use mainframe security logs effectively to detect and prevent security incidents.

Security logs may disclose situations that require timely action to prevent further risk to the agency’s information systems. If the logs are not reviewed promptly, security incidents may go undetected and unreported. The ACF2 system creates a security log for all entries into the mainframe environment. These logs are intended to document security-related incidents such as failed attempts at unauthorized actions and the use of high-risk special privileges.

During our review, we were advised that the ACF2 systems administrator reviews security logs only to confirm suspected security incidents. The administrator finds the logs too voluminous to permit the routine periodic reviews that would make them an effective security tool.

In addition, the ACF2 security logs do not capture information about the use of the most powerful, high-risk access privileges (termed “Allocate”) that permit holders to create, delete, or rename files.

Continuity of Operations

The Bureau of Information Services has not formalized the procedures for the job of the ACF2 administrator. The ACF2 system controls mainframe security for critical applications, and the systems administrator is responsible for system implementation and control activities. In the event that the systems administrator is not available to train a successor, the quality of security of ACF2 applications could be adversely affected.

Outdated ACF2 Security Rules

The ACF2 system controls the activities of the various software products that operate in the mainframe environment. ACF2 defines the scope of activities for each user of the mainframe system. One type of security rule is the user profile.
User profiles control\nthe mainframe application accesses of individuals within the agency user community.\nAnother type of security rule controls the definition of privileges that govern access to\nfiles and programs by technical staff. This type of rule may apply to individual users or\ngroups of users.\n\n\n\n\n                                            13\n\n\x0cThe ACF2 system includes outdated security rules for obsolete systems and software\nas well as user groups. Outdated security rules clutter the security management\nenvironment and weaken the overall information security structure.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n    8.\t develop controls to ensure that the access rights of separated employees,\n        temporary workers and contractors are terminated timely;\n    9.\t develop controls to ensure that the principle of least privilege is applied on an\n        ongoing basis;\n    10.\t implement security logs as an effective control by ensuring that all critical\n         activities are subject to logging and that logs are reviewed at least weekly;\n    11. develop formal procedures for the ACF2 system administrator; and\n    12.\t implement a control to ensure that outdated security rules are deleted from\n         ACF2 timely.\n\nManagement\xe2\x80\x99s Response\n\nManagement concurs with recommendations #9 and #11 and has agreed to take the\nrecommended corrective action. 
Management has stated that recommendations #8,\n#10, and #12 have already been implemented and plans no further corrective action.\n\nOIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nRecommendations #8, #10, and #12 will remain in the OIG\xe2\x80\x99s audit follow-up system until\nthe Bureau of Information Services has submitted documentation supporting\nimplementation.\n\nLAN/WAN SECURITY ADMINISTRATION NEEDS IMPROVEMENT\n\nSecurity administration for the LAN/WAN general support system needs improvement.\nThe present system of procedures and controls does not appear adequate to prevent\nthe loss, misuse or unauthorized access to, or modification of, data stored in the\nsystem.\n\nOMB Circular A-130 requires agencies to implement and maintain a security program to\nensure that adequate security is provided for all agency information collected,\nprocessed, transmitted, stored or disseminated in general support systems. The\nCircular emphasizes management controls affecting individual users of information\ntechnology and requires periodic independent reviews of security in both general\nsupport systems and major applications.\n\n\n\n\n                                           14\n\n\x0cThe present configuration of staffing, hardware and software has resulted in a system\nthat cannot be independently reviewed by agency management or third parties.\nLAN/WAN administrators did not have the software support to extract detailed\ninformation about LAN/WAN user accounts and system privileges in an efficient\nmanner. Absent sufficient staff to assist auditors or other third parties in extracting the\nrequired information via a time-consuming, on-line review, the LAN/WAN system is, for\nall practical purposes, not auditable.\n\nAs part of the audit, we requested detailed information concerning the system privileges\nof LAN/WAN users. LAN/WAN administrators were not able to supply all required\ninformation from the system to permit timely review. 
They appeared to be pressured for\ntime and hampered in their efforts by a lack of training in software and information\nsystem security. For example, responsible staff were unable to provide auditors with a\nlisting of system users until the auditors had researched and demonstrated the\ncapability of current software to support the request.\n\nOnce obtained, we analyzed the listing of LAN/WAN accounts and selected 42 for\nreview of the identifying information and account status. The selection of accounts for\nfurther review was non-random and biased towards accounts that appeared to be\nquestionable. The detailed review of these accounts revealed that:\n\n       \xe2\x80\xa2   20 LAN/WAN users had been granted a second account;\n       \xe2\x80\xa2\t 11 accounts were assigned to former RRB employees, of which only four had\n          been disabled;\n       \xe2\x80\xa2\t four accounts assigned to temporary workers had not been disabled when\n          their assignment/detail ended;\n       \xe2\x80\xa2\t five accounts with which an employee-user could not be readily identified\n          from the information contained in the system; and\n       \xe2\x80\xa2   eight accounts for which the password will never expire.\n\nA detailed description of the specific control weaknesses that we identified during this\naudit follows. These weaknesses appear to be the result of the adverse impact that the\nabsence of a centralized security program and lack of training has had on program\nmanagement.\n\nAccount Maintenance\n\nBased on our review, it appears that existing controls are not adequate to ensure that all\nholders of user accounts can be identified and that changes in employment status are\nrecognized timely. Former employees whose accounts had not been disabled included\nfive individuals who had separated more than a year prior to our review.\n\nSome of the accounts for which the passwords would never expire had been assigned\nto contractors and group-users. 
One of the accounts with a non-expiring password had\n\n\n\n                                            15\n\n\x0cbeen assigned to a former employee whose account had not been disabled and who\nhad separated from the agency in March 2000.\n\nLeast Privilege\n\nLeast privilege is the practice of restricting a user\xe2\x80\x99s access (to data files, processing\ncapability, or peripherals) or type of access (read, write, execute, delete) to the\nminimum necessary to perform his or her job. The principle of least privilege is one of\nthe controls required by OMB Circular A-130 for all general support systems.\n\nThe LAN/WAN administration function does not include periodic internal review and re-\nauthorization of access privileges to the various LAN/WAN applications. As a result, the\nagency cannot ensure that user accesses have been restricted to the minimum\nnecessary to perform their job in accordance with the principle of \xe2\x80\x9cleast privilege.\xe2\x80\x9d\n\nWe did not attempt to quantify the effect that this control weakness has had on the\npopulation of system users because the existing configuration of hardware and software\nwould not support an efficient review process. System administrators were unable to\nextract information about the privileges of individual account holders except through an\nadministrator assisted screen-by-screen online review. This lack of software support\nwill hamper management in implementing an effective control.\n\nSecurity Logs\n\nLAN/WAN security logs are not reviewed routinely by systems administrators. 
As a\nresult, incidents that could have an impact on information security may not be detected\nand reported.\n\nDuring the audit, we were advised that current staffing levels do not permit routine\nreview of system logs that could disclose potential violations of LAN/WAN security.\nLAN/WAN systems administrators review security logs primarily to research or\ndocument events that have already come to their attention.\n\nWorkstation Connectivity\n\nThe RRB has not implemented policy, procedures, and internal controls to address\nsecurity issues resulting from inter-connection of personal computer hard drives. As a\nresult, information stored on the hard drives of personal computers connected via the\nagency LAN/WAN system may be vulnerable to unauthorized access, loss and misuse.\n\nDuring the audit, OIG auditors were able to open files on the hard-drives of four non-\nOIG, agency workstations from remote locations. One of the OIG auditors had never\nbeen granted access privileges to the agency\xe2\x80\x99s LAN/WAN. None of the viewable\nworkstations had been password protected.\n\n\n\n\n                                            16\n\n\x0cWe were advised that the four workstations in the agency LAN/WAN had been\nindividually configured to permit file-sharing with other workstations. As a result of this\nconfiguration, other users of the agency LAN/WAN and all users of the OIG LAN/WAN,\nbecause of its trust relationship with the RRB\xe2\x80\x99s LAN/WAN, had access to every file\ninstalled on those workstations, including the operating system and application\nsoftware.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services develop:\n\n   13.the facilities to support detailed third-party security evaluation of user accounts\n        and privileges;\n\n   14.a training program to ensure that LAN/WAN administration staff has adequate\n       knowledge and skills to implement an effective security program; and\n\ncontrols to ensure that:\n\n   15. 
user accounts fully identify the account holder;\n   16. unnecessary duplicate user accounts are disabled or deleted;\n   17. the LAN/WAN privileges of separated employees are curtailed promptly;\n   18.\t the LAN/WAN privileges of temporary workers and contractors whose\n        assignments have ended are terminated promptly;\n   19. non-expiring passwords are used only when necessary;\n   20.\t the principle of least privilege is applied to the LAN/WAN general support\n        system on an ongoing basis; and\n   21.\t workstation connectivity is controlled in accordance with a management policy\n        designed to minimize risk of loss or misuse.\n\nManagement\xe2\x80\x99s Response\n\nManagement concurs with recommendations #13, #14, and #21 and has agreed to take\nthe recommended corrective action.\n\nAlthough management concurs with recommendation #20, they believe that the current\noperating system will not support development of the recommended control. They will\nexamine this recommendation when a new operating system has been implemented.\n\nManagement has stated that recommendations #15, #16, #17, and #18 have already\nbeen implemented and plans no further corrective action.\n\n\n\n\n                                            17\n\n\x0cManagement does not concur with recommendation #19 stating that they \xe2\x80\x9calready have\na control procedure for non-expiring passwords. They are only used for non-user name\nspecific or generic ids.\xe2\x80\x9d\n\nOIG\xe2\x80\x99S Comments on Management\xe2\x80\x99s Response\n\nRecommendations #15, #16, #17, #18 will remain in the OIG\xe2\x80\x99s audit follow-up system\nuntil the Bureau of Information Services has submitted documentation supporting\nimplementation.\n\nIt is regrettable that management did not voice their position concerning\nrecommendation #19 during the discussion period that preceded issue of the draft\nreport for formal comments. 
As presented in our findings, we identified instances in\nwhich non-expiring passwords had not been restricted in accordance with\nmanagement\xe2\x80\x99s stated policy. This recommendation will remain in the OIG\xe2\x80\x99s audit\nfollow-up system pending further discussion with the Bureau of Information Services.\n\n\n\n\n                                          18\n\n\x0cAPPLICATION LEVEL SECURITY SHOULD BE IMPROVED\n\nOIG tests of user mainframe access profiles indicate that existing controls are not fully\neffective and that the security-awareness of system administrators could be improved.\nAs a result, agency information systems may not be adequately protected from misuse\nor loss.\n\nAs discussed previously, OIG auditors were unable to complete audit tests of LAN/WAN\nsecurity. Accordingly, our detailed findings pertain only to mainframe applications.\nHowever, Blackbird Technologies, Inc., during their security assessment of the\nLAN/WAN system noted that several LAN/WAN database applications allow easy\naccess to the raw table data, as well as to form templates and modules leaving the data\nvulnerable to loss or unauthorized change. They also noted that source code in related\napplications could be easily viewed.\n\nOMB Circular A-130 requires that all Federal agencies implement and maintain a\nprogram to ensure that adequate security is provided for all agency information\ncollected, processed, transmitted, stored, or disseminated in major applications. 
The\ncircular also requires periodic independent reviews of security in both general support\nand major application systems.\n\nWe believe the weaknesses in mainframe and LAN/WAN security exist because of the\nadverse impact that the absence of a centralized security program and the lack of\nsecurity-specific training have had on program management.\n\nLeast Privilege\n\nThe RRB has implemented controls intended to ensure that users of all major\napplications have been awarded privileges that are necessary to perform their jobs in\naccordance with the principle of \xe2\x80\x9cleast privilege.\xe2\x80\x9d The principle of least privilege is one\nof the controls required by Circular A-130 for all general support systems.\n\nThe primary means of ensuring that system privileges are consistent with job\nrequirements is periodic review and re-authorization of access rights. However, some\napplications are not subject to the review and re-authorization process. In addition,\nresponsibility for this process is scattered throughout the agency. The responsibility for\ninitiating the review and re-authorization process rests with the Bureau of Information\nServices for some applications and with the system owner for others.\n\nDuring our audit, we observed inconsistencies in the timing, documentation and\neffectiveness of the review and re-authorization process. 
The review and re-\nauthorization process:\n\n       \xe2\x80\xa2\t has been performed for Personnel/Payroll and Financial Management\n          applications less than annually;\n\n\n\n\n                                             19\n\n\x0c        \xe2\x80\xa2\t has not been performed for the FAST, SECUTAB, WILBUR, SURGE, and\n           ZIPCO; 5 and\n        \xe2\x80\xa2\t typically relies on exception reports rather than positive confirmation of\n           continuing user needs.\n\nIn order to test the effectiveness of agency controls, we compared the user profiles of\n120 randomly selected employees with their job titles to determine whether their\nmainframe system application privileges were consistent with their present duties.6\n\nOur review determined that 102 of the 120 employees in the sample (85%) had been\ngranted privileges that were consistent with the needs of their position based on\nconsideration of their job title (60 employees) or examination of written authorizations\nsupporting the privileges as granted (42 employees).\n\nBased on our review of job titles and the supporting documentation, we concluded that\n18 of the 120 employees in the sample (15%) had been granted privileges that\nappeared to be inconsistent with their current employment comprised of:\n\n    \xe2\x80\xa2\t 4 employees whose access privileges were inconsistent with the supporting\n       written documentation;\n    \xe2\x80\xa2\t 2 employees for whom the supporting documentation pertained to a prior\n       position; and\n    \xe2\x80\xa2   12 employees for whom no supporting documentation was in the file for review.\n\nThe 18 user profiles questioned by the audit indicate that the controls intended to\nensure that the principle of least privilege has been implemented at the application level\nare not fully effective and should be improved.\n\nSystem Administrators\n\nImplementation of information security at the application level has been adversely\nimpacted by the lack of 
security-specific training among systems administrators. In\naddition, the RRB\xe2\x80\x99s system of information controls does not include reviews of system\nadministrator activities that could have disclosed control weaknesses and the related\ntraining deficiencies.\n\nSystems administrators for major applications have discretion concerning the\nimplementation of application security features. During our review, we identified the\nfollowing conditions that might have been questioned during an independent review of\nsystems administrator activity:\n\n5\n FAST, SECUTAB WILBUR, SURGE AND ZIPCO are mainframe applications that support\n\nthe agency\xe2\x80\x99s benefit payment operations.\n\n6\n  A scope limitation, described in our discussion of the LAN/WAN general\n\nsupport system, prevented us from performing a similar test for LAN/WAN\n\napplications.\n\n\n\n                                             20\n\n\x0c      \xe2\x80\xa2\t an unencrypted system password for a user account with system\n         administrator privileges was viewable in FFS tables;\n      \xe2\x80\xa2\t employees who administer the security features of the RUCS and FAST\n         systems were also required, as part of their duties, to enter transactions for\n         processing;7 and\n      \xe2\x80\xa2\t logs that capture changes to data stored in Federal Financial System and\n         Program Accounts Receivable System tables are not created for all tables\n         that permit direct data entry.\n\nRecommendations\n\nThe Bureau of Information Services should:\n\n    22.\t include all systems in the review and re-authorization process and mandate\n         the frequency of the process for each system;\n    23.\t require a written response for all users during the review and reauthorization\n         process; and\n    24.\t implement independent reviews of the system administrator functions\n         throughout the agency.\n\n\nManagement\xe2\x80\x99s Response\n\nManagement concurs with 
recommendations #22 and #24 and has agreed to take the\nrecommended corrective action. Management has stated that recommendation #23\nhas already been implemented and plans no further corrective action.\n\nOIG\xe2\x80\x99S Comments on Management\xe2\x80\x99s Response\n\nRecommendation #23 will remain in the OIG\xe2\x80\x99s audit follow-up system until the Bureau of\nInformation Services has submitted documentation supporting implementation.\n\n\nSYSTEMS DEVELOPMENT\n\nDocumentation for the systems development lifecycle has not been consistently\nmaintained. Existing controls are not adequate to ensure that all documentation can be\nlocated and that it is adequate to its intended purpose. As a result, the Bureau of\nInformation Services has not adequately documented their performance of some\nsecurity-related tasks that are a part of the systems development life cycle.\n\n\n7\n  RUCS and FAST are mainframe applications that support the RRB\xe2\x80\x99s benefit\n\npayment operations.\n\n\n\n                                           21\n\n\x0cOMB Circular A-130 mandates consideration of systems security throughout the\nsystems development life cycle.\n\nTesting and Approval of Programs\n\nThe RRB has procedures intended to ensure that only programs and program changes\nthat have been tested and approved by users are placed into operation. The Bureau of\nInformation Services documents testing and approval of new programs and program\nchanges manually using RRB Form G-872, \xe2\x80\x9cSign-Off Sheet.\xe2\x80\x9d\n\nHowever, current documentation is incomplete because it does not fully identify the\nversion of the program that was tested and approved. 
Since there may be multiple\nversions of a program before it is approved and placed into production, the lack of a\nspecific audit trail increases the risk that:\n\n   \xe2\x80\xa2   an unapproved program may be placed into production, or\n   \xe2\x80\xa2\t a conflict may arise over responsibility for a program that does not function\n      satisfactorily after being placed into production.\n\nIn addition, for one of the nine systems development projects reviewed during the audit,\nForm G-872 could not be located for three of the 15 programs that had been placed into\nproduction.\n\nConsideration of Security in Systems Development\n\nCurrent agency procedure requires execution of RRB Form G-402 \xe2\x80\x9cSecurity Profile,\xe2\x80\x9d or\na similar document, for each automated application in development. The purpose of\nthis form is to evidence the consideration of information security during the development\nof a new system or program changes that affect applications, information or processes.\nWe identified two projects (of the nine reviewed during the audit) for which RRB Form\nG-402 had not been completed. 
As a result, the consideration of security in the\ndevelopment of the application could not be verified.\n\nCost Estimating Process\n\nCurrent procedure requires that the Bureau of Information Services document initial cost\nestimates for new systems development projects using RRB Form G-436b, \xe2\x80\x9cCost\nEstimate for ADP Project Service.\xe2\x80\x9d For one of the nine systems development projects\nfor which we reviewed required documentation, the original Form G-436b was not\navailable for review.\n\n\n\n\n                                           22\n\n\x0cRecommendations\n\nThe Bureau of Information Services should strengthen controls to ensure that all\nactivities in the system development lifecycle are adequately documented by:\n\n    25.\t revising current procedure to require full identification of the version of the\n         program that was tested and approved when the G-872 is executed; and\n    26.\t developing a control to ensure that forms G-402 and G-436b are executed timely\n         and maintained for review.\n\n\nManagement\xe2\x80\x99s Response\n\n\nManagement concurs with recommendations #25 and #26.\n\n\n\nKEY CARD ACCESS TO THE DATA CENTER\n\nThe key card access system that is used to restrict physical access to the RRB\xe2\x80\x99s data\ncenter is not fully effective. 
As a result, the agency\xe2\x80\x99s risk of loss is increased.\n\nThe principle of least privilege dictates that a user\xe2\x80\x99s access to data files, processing\ncapability or peripherals be restricted to the minimum necessary to perform his or her\njob.\n\nExisting controls were not effective in detecting the granting of unnecessary privileges.\nAlthough the Bureau of Information Services states that it has implemented an informal\nmanual review procedure using printed listings from the keycard system, no review\ndocumentation was available for examination during our audit.\n\nThe RRB\xe2\x80\x99s data center is comprised of 10 separate locations containing mainframe and\nLAN/WAN hardware, data communications equipment and data storage facilities. Each\nlocation is secured using a key card system. Access cannot be obtained without a\nkeycard; the keycard\xe2\x80\x99s coding determines which of the 10 locations may be accessed.\n\nDuring our review of the access privileges of key card holders, we identified an\nindividual who had access to eight data center locations which was seven more than the\nsingle area required to perform his job.\n\nRecommendation\n\n27.\t The Bureau of Information Services should develop a control to identify errors in\n     the access profiles of key cardholders.\n\n\n\n\n                                            23\n\n\x0cManagement\xe2\x80\x99s Response\n\nManagement has stated that recommendation #27 has already been implemented and\nplans no further corrective action.\n\nOIG\xe2\x80\x99S Comments on Management\xe2\x80\x99s Response\n\nRecommendation #27 will remain in the OIG\xe2\x80\x99s audit follow-up system until the Bureau of\nInformation Services has submitted documentation supporting implementation.\n\n\nAUTOMATED FOLDER CONTROL SYSTEMS IS NOT PASSWORD PROTECTED\n\nThe decision to permit unrestricted access to one of the agency\xe2\x80\x99s folder control systems\nis not documented. 
As a result, the RRB does not have adequate assurance that risk\nhas been properly considered in the security provisions for this system.\n\nThe RRB uses mainframe applications to track the location of RRB claim folders. Claim\nfolders contain the paper documentation relating to benefit payment activity. Until the\nrecent implementation of imaging technology, every claim for benefits was documented\non paper and filed in a claim folder.\n\nThe Automated Folder Control System (AFCS) maintains the folder location history for\nthe retirement, survivor and disability programs. The Unemployment Folder Control\nSystem (UFCS) tracks the claim folders used in the Unemployment and Sickness\nprograms.\n\nThe AFCS is not password protected for general use. Although access to critical\nadministrative functions has been restricted, anyone with physical access to mainframe\nscreens can order folders from the off-site storage facility or change folder location\ncodes within headquarters. Since the system is not password protected for routine\ntransactions, it does not capture the identity of users who enter transactions.\n\nDecisions concerning security should be risk-based, documented and periodically\nsubject to review. The AFCS was originally implemented nearly 20 years ago and the\ndecision to permit unrestricted access to routine transactions appears to date from that\ntime. The AFCS is administered jointly by the Bureau of Supply and Service and the\nOffice of Programs. 
Both organizations have appointed a system administrator; neither\nis aware of the existence of a more recent evaluation.\n\nThe UFCS is password protected for all transactions.\n\nRecommendation\n\n28.\t The Chief Information Officer should initiate an evaluation of the security needs of\n     the AFCS and UFCS.\n\n\n\n                                           24\n\n\x0cManagement\xe2\x80\x99s Response\n\n\nManagement concurs with the recommendation.\n\n\n\nAPPENDICES AVAILABLE UPON REQUEST.\n\n\n\n\n\n                                      25\n\n\x0c'
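The account-maintenance findings in the mainframe and LAN/WAN sections (recommendations 8 and 15 through 19) amount to a checklist that can be run mechanically against an account export, which is the kind of "software support" the LAN/WAN administrators lacked. The following Python is an added example, not code from the OIG or the RRB; the account records are constructed, the field names are assumptions, and the generic-id exception follows management's stated policy on non-expiring passwords.

```python
"""Account-hygiene review patterned on the OIG's account-maintenance findings.

Added example, not code from the OIG report or any RRB system. The account
listing is constructed and the field names are assumptions, not the fields of
a real directory export.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    holder: Optional[str]        # person, vendor or service the account is issued to
    kind: str                    # "employee", "contractor", "temporary" or "generic"
    enabled: bool
    password_expires: bool
    ended_on: Optional[date] = None   # separation or end-of-assignment date, if any


def review_accounts(accounts: List[Account], as_of: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for the conditions the audit looked for.

    Checks mirror recommendations 15 through 19: unidentified holders, duplicate
    accounts, separated employees and ended assignments still enabled, and
    non-expiring passwords outside the generic-id exception management cited.
    """
    findings: List[Tuple[str, str]] = []

    # Rec. 15: every account must identify its holder; rec. 16: group by holder
    # so that a person holding a second account becomes visible.
    per_holder = {}
    for a in accounts:
        if not a.holder:
            findings.append((a.user_id, "holder cannot be identified"))
            continue
        per_holder.setdefault(a.holder, []).append(a)
    for holder, accts in per_holder.items():
        if len(accts) > 1:
            ids = ", ".join(x.user_id for x in accts)
            for x in accts:
                findings.append((x.user_id, f"duplicate account for {holder} ({ids})"))

    for a in accounts:
        # Rec. 17/18: an enabled account whose holder has separated or whose
        # assignment has ended; the audit singled out accounts open over a year.
        if a.enabled and a.ended_on is not None and a.ended_on <= as_of:
            if a.kind == "employee":
                what = "separated employee still enabled"
            else:
                what = f"{a.kind} assignment ended, account still enabled"
            if (as_of - a.ended_on).days > 365:
                what += " (more than a year)"
            findings.append((a.user_id, what))
        # Rec. 19: a password that never expires is tolerable only on a generic
        # (non-user-specific) id, per management's stated policy.
        if not a.password_expires and a.kind != "generic":
            findings.append((a.user_id, "non-expiring password on a named account"))
    return findings


# Constructed listing: ids, names and dates are invented for this example.
AS_OF = date(2001, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", "employee", True, True),
    Account("jsmith2", "J. Smith", "employee", True, True),                  # second account
    Account("rlee", "R. Lee", "employee", True, False, date(2000, 3, 15)),   # separated, never disabled
    Account("tmp01", "P. Kim", "temporary", True, True, date(2001, 6, 30)),  # detail ended
    Account("ctr07", "Acme Corp", "contractor", True, False),                # vendor id, no expiry
    Account("x4471", None, "employee", True, True),                          # nobody knows whose
    Account("svc_backup", "Nightly backup job", "generic", True, False),     # permitted exception
    Account("mchen", "M. Chen", "employee", False, True, date(2001, 8, 1)),  # disabled on time
]


if __name__ == "__main__":
    for user_id, finding in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user_id:12} {finding}")
```

On the constructed listing the review flags seven findings across five accounts and leaves the generic backup id and the promptly disabled account alone, which is the positive confirmation the report asks for in place of exception reports.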